Skull001
2009-03-17, 15:17
Hello
I had a hard time trying to stop McAfee; all sorts of popup alerts from McAfee occurred during the ComboFix scan. I hope the ComboFix scan isn't tainted. Here are the scan results.
ComboFix 09-03-15.01 - skull 2009-03-17 6:00:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.323 [GMT -7:00]
Running from: c:\documents and settings\skull\Desktop\Malware Utilities\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PROTECT
-------\Legacy_RESTORE
((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.
2009-03-12 07:15 . 2009-03-12 07:15 <DIR> d-------- c:\documents and settings\skull\Application Data\Malwarebytes
2009-03-12 07:15 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 07:15 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 07:14 . 2009-03-12 07:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-12 07:14 . 2009-03-12 07:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-12 06:59 . 2009-03-14 21:31 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-03-12 06:56 . 2009-03-12 16:44 128 --a------ c:\windows\adobe.bat
2009-03-12 06:56 . 2009-03-12 07:00 6 --a------ c:\windows\_id.dat
2009-03-11 17:07 . 2009-03-13 21:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-11 17:07 . 2009-03-11 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 09:21 . 2009-02-18 09:53 <DIR> d-------- c:\documents and settings\skull\Application Data\Move Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 13:09 55,808 ----a-w c:\windows\system32\ipconfig.exe
2009-03-17 13:04 57,856 ----a-w c:\windows\system32\spoolsv.exe
2009-03-17 13:04 1,033,728 ----a-w c:\windows\explorer.exe
2009-03-17 13:03 43,534 ----a-w c:\windows\system32\userinit.exe
2009-03-17 13:02 19,968 ----a-w c:\windows\system32\qprocess.exe
2009-03-17 13:01 8,192 ----a-w c:\windows\system32\winhlp32.exe
2009-03-17 13:01 33,291 ----a-w c:\windows\system32\dmremote.exe
2009-03-17 13:01 27,648 ----a-w c:\windows\system32\conime.exe
2009-03-17 13:01 124,928 ----a-w c:\windows\system32\net1.exe
2009-03-17 13:01 1,414,656 ----a-w c:\windows\system32\mmc.exe
2009-03-17 12:59 19,968 ----a-w c:\windows\system32\route.exe
2009-03-17 12:58 33,282 ----a-w c:\windows\system32\expand.exe
2009-03-17 12:55 135,680 ----a-w c:\windows\system32\taskmgr.exe
2009-03-17 12:53 9,216 ----a-w c:\windows\system32\find.exe
2009-03-17 12:53 56,837 ----a-w c:\windows\system32\grpconv.exe
2009-03-17 12:53 29,705 ----a-w c:\windows\system32\attrib.exe
2009-03-17 12:53 27,136 ----a-w c:\windows\system32\findstr.exe
2009-03-17 12:53 24,576 ----a-w c:\windows\system32\sort.exe
2009-03-17 12:53 17,920 ----a-w c:\windows\system32\ping.exe
2009-03-17 12:53 14,336 ----a-w c:\windows\system32\runonce.exe
2009-03-17 12:52 155,648 ----a-w c:\windows\system32\wscript.exe
2009-03-17 12:52 103,936 ----a-w c:\windows\system32\logagent.exe
2009-03-17 12:51 62,479 ----a-w c:\windows\system32\shmgrate.exe
2009-03-17 12:51 514,560 ----a-w c:\windows\system32\logonui.exe
2009-03-17 12:51 45,568 ----a-w c:\windows\system32\drwtsn32.exe
2009-03-17 12:51 11,776 ----a-w c:\windows\system32\regsvr32.exe
2009-03-17 12:50 45,568 ----a-w c:\windows\system32\mshta.exe
2009-03-17 12:50 33,280 ----a-w c:\windows\system32\rundll32.exe
2009-03-17 12:50 31,744 ----a-w c:\windows\system32\ntsd.exe
2009-03-17 12:50 163,863 ----a-w c:\windows\regedit.exe
2009-03-17 12:48 5,632 ----a-w c:\windows\system32\cisvc.exe
2009-03-17 12:48 33,280 ----a-w c:\windows\system32\clipsrv.exe
2009-03-17 12:48 25,088 ----a-w c:\windows\system32\defrag.exe
2009-03-17 12:42 15,360 ----a-w c:\windows\system32\ctfmon.exe
2009-03-17 12:38 220,672 ----a-w c:\windows\system32\logon.scr
2009-03-17 12:31 44,544 ----a-w c:\windows\system32\alg.exe
2009-03-17 12:30 135,168 ----a-w c:\windows\system32\cscript.exe
2009-03-17 06:26 46,083 ----a-w c:\windows\system32\verclsid.exe
2009-03-17 06:24 150,528 ----a-w c:\windows\system32\imapi.exe
2009-03-17 06:19 69,120 ----a-w c:\windows\system32\notepad.exe
2009-03-15 20:29 --------- d-----w c:\program files\McAfee
2009-03-15 04:33 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-11 05:53 --------- d-----w c:\program files\Passware
2009-03-10 14:18 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-10 14:18 --------- d-----w c:\program files\Java
2009-02-26 15:25 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-11 06:08 --------- d-----w c:\documents and settings\skull\Application Data\Rokario
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-17 15:02 19,879,397 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_12_17_06_50_24_full.dmp.zip
2008-12-17 14:26 21,151,628 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_12_16_23_33_18_full.dmp.zip
.
------- Sigcheck -------
2009-03-17 06:04 1033728 5a4d8cc07e31b75a8faa2ca71a891227 c:\windows\explorer.exe
2009-03-17 06:04 1033216 d78403dde72b995e9935a221d323d46b c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2009-03-17 06:04 1050640 2105f8a69c3501eff39ab6ada0f68655 c:\windows\$NtServicePackUninstall$\explorer.exe
2009-03-17 06:04 1032192 edb9f04ea7f23a802e04774e7eaaa23e c:\windows\$NtUninstallKB938828$\explorer.exe
2009-03-17 06:04 1033728 5a4d8cc07e31b75a8faa2ca71a891227 c:\windows\ServicePackFiles\i386\explorer.exe
2009-03-17 06:10 32777 308efaca62b76ae855021c55a65732ad c:\windows\$NtServicePackUninstall$\ctfmon.exe
2009-03-17 06:11 32770 ad072b71e2d100cb47b1ef6e96c60fc6 c:\windows\ServicePackFiles\i386\ctfmon.exe
2009-03-17 05:42 15360 66bb9ece6fc265c1017439a1a6bb8f39 c:\windows\system32\ctfmon.exe
2009-03-17 06:03 57856 f96661661dc6055125b7f338ef77e3c4 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2009-03-17 06:03 57856 0236d8d8c0315e118feea7ed6c9affeb c:\windows\$NtServicePackUninstall$\spoolsv.exe
2009-03-17 06:03 57856 5fa50e76687c593444dec40eefcb67a4 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2009-03-17 06:03 57856 b80ab4b1a18ec8540b48669273ac14ee c:\windows\ServicePackFiles\i386\spoolsv.exe
2009-03-17 06:04 57856 b80ab4b1a18ec8540b48669273ac14ee c:\windows\system32\spoolsv.exe
2009-03-17 06:03 24576 3f3bda164bbfbcbd2e3f204a1cf1d484 c:\windows\$NtServicePackUninstall$\userinit.exe
2009-03-17 06:03 26112 c26536de363fef4e42a23c20fd6e7fea c:\windows\ServicePackFiles\i386\userinit.exe
2009-03-17 06:03 43534 d6afbe536f5dddc7b0bfe95649ecccc9 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2009-03-12_22.57.54.33 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-06-11 00:17:13 75,264 ----a-w c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
+ 2009-03-17 13:03:55 57,856 ----a-w c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
- 2007-06-13 11:26:03 1,050,624 ----a-w c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
+ 2009-03-17 13:04:12 1,033,216 ----a-w c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
- 2007-06-13 10:23:07 1,050,624 -c----w c:\windows\$NtServicePackUninstall$\explorer.exe
+ 2009-03-17 13:04:10 1,050,640 -c--a-w c:\windows\$NtServicePackUninstall$\explorer.exe
- 2006-02-28 12:00:00 182,656 -c----w c:\windows\$NtServicePackUninstall$\ndis.sys
+ 2006-02-28 12:00:00 182,912 -c----w c:\windows\$NtServicePackUninstall$\ndis.sys
- 2005-06-10 23:53:32 75,264 -c----w c:\windows\$NtServicePackUninstall$\spoolsv.exe
+ 2009-03-17 13:03:54 57,856 -c--a-w c:\windows\$NtServicePackUninstall$\spoolsv.exe
- 2006-02-28 12:00:00 41,984 -c----w c:\windows\$NtServicePackUninstall$\userinit.exe
+ 2009-03-17 13:03:43 24,576 -c--a-w c:\windows\$NtServicePackUninstall$\userinit.exe
- 2006-02-28 12:00:00 75,264 -c----w c:\windows\$NtUninstallKB896423$\spoolsv.exe
+ 2009-03-17 13:03:56 57,856 -c--a-w c:\windows\$NtUninstallKB896423$\spoolsv.exe
- 2006-02-28 12:00:00 1,049,600 -c----w c:\windows\$NtUninstallKB938828$\explorer.exe
+ 2009-03-17 13:04:07 1,032,192 -c--a-w c:\windows\$NtUninstallKB938828$\explorer.exe
- 2005-10-21 03:02:28 184,320 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 03:02:28 184,832 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2009-03-17 13:04:52 166,912 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-04-14 00:12:38 229,376 ----a-w c:\windows\inf\unregmp2.exe
+ 2009-03-17 06:25:41 208,896 ----a-w c:\windows\inf\unregmp2.exe
- 2008-04-13 18:53:32 575,488 ------w c:\windows\network diagnostic\xpnetdiag.exe
+ 2009-03-17 12:50:37 575,506 ----a-w c:\windows\network diagnostic\xpnetdiag.exe
- 2000-08-31 15:00:00 48,128 ----a-w c:\windows\NIRCMD.exe
+ 2009-03-17 13:01:02 31,744 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 15:00:00 179,712 ----a-w c:\windows\SWREG.exe
+ 2009-03-17 12:54:36 162,304 ----a-w c:\windows\SWREG.exe
- 2000-08-31 15:00:00 155,136 ----a-w c:\windows\SWSC.exe
+ 2009-03-17 13:03:27 137,728 ----a-w c:\windows\SWSC.exe
- 2008-04-14 00:12:14 407,040 ----a-w c:\windows\system32\cmd.exe
+ 2009-03-17 12:49:55 389,120 ----a-w c:\windows\system32\cmd.exe
- 2008-04-14 00:12:15 27,136 ----a-w c:\windows\system32\Com\comrepl.exe
+ 2009-03-17 13:01:33 27,151 ----a-w c:\windows\system32\Com\comrepl.exe
- 2008-04-14 00:12:15 23,552 ----a-w c:\windows\system32\Com\comrereg.exe
+ 2009-03-17 13:01:34 6,144 ----a-w c:\windows\system32\Com\comrereg.exe
- 2009-03-13 04:12:08 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-17 12:34:56 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-13 04:12:08 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-17 12:34:56 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-15 05:10:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009031420090315\index.dat
- 2009-03-13 04:12:08 262,144 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-17 12:34:56 344,064 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
- 2008-04-14 00:12:17 22,528 ----a-w c:\windows\system32\dllhost.exe
+ 2009-03-17 12:48:59 5,120 ----a-w c:\windows\system32\dllhost.exe
- 2008-04-14 00:12:17 242,176 ----a-w c:\windows\system32\dmadmin.exe
+ 2009-03-17 12:49:00 224,768 ----a-w c:\windows\system32\dmadmin.exe
- 2008-06-27 13:08:40 79,240 ----a-w c:\windows\system32\drivers\mfeavfk.sys
+ 2009-01-09 19:03:40 79,304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
- 2008-06-27 13:08:40 35,240 ----a-w c:\windows\system32\drivers\mfebopk.sys
+ 2009-01-09 19:03:40 35,272 ----a-w c:\windows\system32\drivers\mfebopk.sys
- 2008-06-27 13:08:40 207,656 ----a-w c:\windows\system32\drivers\mfehidk.sys
+ 2009-01-09 19:03:40 213,640 ----a-w c:\windows\system32\drivers\mfehidk.sys
- 2008-06-20 12:41:38 34,152 ----a-w c:\windows\system32\drivers\mferkdk.sys
+ 2009-01-09 19:03:06 34,216 ----a-w c:\windows\system32\drivers\mferkdk.sys
- 2008-06-27 13:08:40 40,488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
+ 2009-01-09 19:03:40 40,552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
- 2008-06-02 21:55:42 120,136 ----a-w c:\windows\system32\drivers\Mpfp.sys
+ 2008-10-23 20:08:54 120,136 ----a-w c:\windows\system32\drivers\Mpfp.sys
- 2008-12-18 17:31:06 111,784 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-14 13:18:50 111,784 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-12-19 09:10:15 88,064 ------w c:\windows\system32\ie4uinit.exe
+ 2009-03-17 05:37:32 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-12-19 09:10:15 31,232 ----a-w c:\windows\system32\ieudinit.exe
+ 2009-03-17 12:51:34 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-04-14 00:12:24 92,672 ----a-w c:\windows\system32\locator.exe
+ 2009-03-17 12:49:15 75,264 ----a-w c:\windows\system32\locator.exe
- 2006-01-21 23:01:22 42,496 ----a-w c:\windows\system32\Macromed\Flash\genuinst.exe
+ 2009-03-17 12:51:00 25,088 ----a-w c:\windows\system32\Macromed\Flash\genuinst.exe
- 2008-04-14 00:12:25 53,248 ----a-w c:\windows\system32\mnmsrvc.exe
+ 2009-03-17 12:49:04 32,768 ----a-w c:\windows\system32\mnmsrvc.exe
- 2009-02-12 04:56:17 21,244,872 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-25 20:54:59 24,768,960 ----a-w c:\windows\system32\MRT.exe
- 2008-04-14 00:12:27 23,552 ----a-w c:\windows\system32\msdtc.exe
+ 2009-03-17 12:49:06 23,553 ----a-w c:\windows\system32\msdtc.exe
- 2008-04-14 00:12:28 96,256 ----a-w c:\windows\system32\msiexec.exe
+ 2009-03-17 12:49:08 78,848 ----a-w c:\windows\system32\msiexec.exe
- 2008-04-14 00:12:29 128,512 ----a-w c:\windows\system32\netdde.exe
+ 2009-03-17 12:49:10 111,104 ----a-w c:\windows\system32\netdde.exe
- 2008-04-14 00:12:31 126,976 ----a-w c:\windows\system32\progman.exe
+ 2009-03-17 12:49:53 109,568 ----a-w c:\windows\system32\progman.exe
- 2008-04-14 00:12:32 80,384 ----a-w c:\windows\system32\rdpclip.exe
+ 2009-03-17 12:49:50 62,976 ----a-w c:\windows\system32\rdpclip.exe
- 2006-02-28 12:00:00 150,016 ----a-w c:\windows\system32\rsvp.exe
+ 2009-03-17 12:49:16 132,608 ----a-w c:\windows\system32\rsvp.exe
- 2008-04-14 00:12:33 113,152 ----a-w c:\windows\system32\scardsvr.exe
+ 2009-03-17 12:49:18 95,744 ----a-w c:\windows\system32\scardsvr.exe
- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2008-04-14 00:12:34 158,720 ----a-w c:\windows\system32\sessmgr.exe
+ 2009-03-17 12:49:12 158,747 ----a-w c:\windows\system32\sessmgr.exe
- 2008-04-14 00:12:35 107,008 ----a-w c:\windows\system32\smlogsvc.exe
+ 2009-03-17 12:49:21 89,600 ----a-w c:\windows\system32\smlogsvc.exe
- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-04-14 00:12:38 90,624 ----a-w c:\windows\system32\tlntsvr.exe
+ 2009-03-17 12:49:23 73,216 ----a-w c:\windows\system32\tlntsvr.exe
- 2008-04-14 00:12:38 35,840 ----a-w c:\windows\system32\ups.exe
+ 2009-03-17 12:49:25 18,432 ----a-w c:\windows\system32\ups.exe
- 2008-04-14 00:12:38 307,200 ----a-w c:\windows\system32\vssvc.exe
+ 2009-03-17 12:49:27 289,792 ----a-w c:\windows\system32\vssvc.exe
- 2008-04-14 00:12:40 144,384 ----a-w c:\windows\system32\wbem\wmiapsrv.exe
+ 2009-03-17 12:49:29 126,464 ----a-w c:\windows\system32\wbem\wmiapsrv.exe
- 2008-04-14 00:12:40 235,520 ----a-w c:\windows\system32\wbem\wmiprvse.exe
+ 2009-03-16 21:23:12 218,112 ----a-w c:\windows\system32\wbem\wmiprvse.exe
+ 2009-03-17 13:07:58 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_784.dat
- 2000-08-31 15:00:00 73,284 ----a-w c:\windows\VFIND.exe
+ 2009-03-17 13:01:18 52,804 ----a-w c:\windows\VFIND.exe
+ 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-03-17 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2277888]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
.
Contents of the 'Scheduled Tasks' folder
2008-06-12 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2009-03-17 05:48]
2008-06-12 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-17 06:08:42
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe
c:\progra~1\McAfee\VIRUSS~1\mcvsmap.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-03-17 6:12:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-17 13:12:39
ComboFix2.txt 2009-03-13 05:58:49
Pre-Run: 13,339,693,056 bytes free
Post-Run: 13,322,797,056 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
288 --- E O F --- 2009-03-17 12:51:58
Skull001
2009-03-18, 07:16
Hello,
Here are the results for userinit.exe
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.18 -
AhnLab-V3 5.0.0.2 2009.03.18 -
AntiVir 7.9.0.116 2009.03.17 -
Authentium 5.1.0.4 2009.03.17 -
Avast 4.8.1335.0 2009.03.17 -
AVG 8.0.0.237 2009.03.17 -
BitDefender 7.2 2009.03.18 -
CAT-QuickHeal 10.00 2009.03.18 -
ClamAV 0.94.1 2009.03.18 -
Comodo 1062 2009.03.17 -
DrWeb 4.44.0.09170 2009.03.18 -
eSafe 7.0.17.0 2009.03.17 -
eTrust-Vet 31.6.6388 2009.03.09 -
F-Prot 4.4.4.56 2009.03.17 -
F-Secure 8.0.14470.0 2009.03.18 -
Fortinet 3.117.0.0 2009.03.18 -
GData 19 2009.03.18 -
Ikarus T3.1.1.45.0 2009.03.18 -
K7AntiVirus 7.10.674 2009.03.17 -
Kaspersky 7.0.0.125 2009.03.18 -
McAfee 5556 2009.03.17 -
McAfee+Artemis 5556 2009.03.17 -
McAfee-GW-Edition 6.7.6 2009.03.17 -
Microsoft 1.4502 2009.03.17 -
NOD32 3944 2009.03.17 -
Norman 6.00.06 2009.03.17 -
nProtect 2009.1.8.0 2009.03.18 -
Panda 10.0.0.10 2009.03.18 -
PCTools 4.4.2.0 2009.03.17 -
Prevx1 V2 2009.03.18 -
Rising 21.21.20.00 2009.03.18 -
Sophos 4.39.0 2009.03.18 -
Sunbelt 3.2.1858.2 2009.03.18 -
Symantec 1.4.4.12 2009.03.18 -
TheHacker 6.3.3.0.283 2009.03.16 -
TrendMicro 8.700.0.1004 2009.03.18 -
VBA32 3.12.10.1 2009.03.17 -
ViRobot 2009.3.18.1653 2009.03.18 -
VirusBuster 4.6.5.0 2009.03.17 -
Additional information
File size: 43534 bytes
MD5...: d6afbe536f5dddc7b0bfe95649ecccc9
SHA1..: 1602902729e715ac569fc40c1d5c508d2a86e8bd
SHA256: 306f01336ceeb93f56d34a3c227dd3528904b02e4e8e9bcb5b300d8de0db636c
SHA512: 5c4f63c755437288231cd2f369e043bc997d1a1e0bbe011a82f85b5574fb1ed9
7dd10bed07c08870710c96161c8f53ff1dc7499d1efb6e9ea510f9b6fbb98c12
ssdeep: 768:eRMJi8jDLIDSAaQFxfftjaLacmkLGKOq:eRMJbDMDSA7FxffJaLaSLG9q
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x54ad
timedatestamp.....: 0x480251a8 (Sun Apr 13 18:32:08 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x520e 0x5400 5.95 099b53205ad3f1c3b853a5310d08a9b1
.data 0x7000 0x14c 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf
.rsrc 0x8000 0x5c00 0x5000 0.69 9573830b89698276564aefa4298faf3c
( 9 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken
> NETAPI32.dll: DsGetDcNameW, NetApiBufferFree
> WLDAP32.dll: -, -, -, -, -, -
> msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _cexit, exit
> KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW
( 0 exports )
Skull001
2009-03-18, 07:23
Results for spoolsv.exe
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.18 -
AhnLab-V3 5.0.0.2 2009.03.18 -
AntiVir 7.9.0.116 2009.03.17 -
Authentium 5.1.0.4 2009.03.17 -
Avast 4.8.1335.0 2009.03.17 -
AVG 8.0.0.237 2009.03.17 -
BitDefender 7.2 2009.03.18 -
CAT-QuickHeal 10.00 2009.03.18 -
ClamAV 0.94.1 2009.03.18 -
Comodo 1062 2009.03.17 -
DrWeb 4.44.0.09170 2009.03.18 -
eSafe 7.0.17.0 2009.03.17 -
eTrust-Vet 31.6.6388 2009.03.09 -
F-Prot 4.4.4.56 2009.03.17 -
F-Secure 8.0.14470.0 2009.03.18 -
Fortinet 3.117.0.0 2009.03.18 -
GData 19 2009.03.18 -
Ikarus T3.1.1.45.0 2009.03.18 -
K7AntiVirus 7.10.674 2009.03.17 -
Kaspersky 7.0.0.125 2009.03.18 -
McAfee 5556 2009.03.17 -
McAfee+Artemis 5556 2009.03.17 -
McAfee-GW-Edition 6.7.6 2009.03.17 -
Microsoft 1.4502 2009.03.17 -
NOD32 3944 2009.03.17 -
Norman 6.00.06 2009.03.17 -
nProtect 2009.1.8.0 2009.03.18 -
Panda 10.0.0.10 2009.03.18 -
PCTools 4.4.2.0 2009.03.17 -
Prevx1 V2 2009.03.18 -
Rising 21.21.20.00 2009.03.18 -
Sophos 4.39.0 2009.03.18 -
Sunbelt 3.2.1858.2 2009.03.18 -
Symantec 1.4.4.12 2009.03.18 -
TheHacker 6.3.3.0.283 2009.03.16 -
TrendMicro 8.700.0.1004 2009.03.18 -
VBA32 3.12.10.1 2009.03.17 -
ViRobot 2009.3.18.1653 2009.03.18 -
VirusBuster 4.6.5.0 2009.03.17 -
Additional information
File size: 57856 bytes
MD5...: b80ab4b1a18ec8540b48669273ac14ee
SHA1..: 616c17502413c930cccf6d3e39674bcdb2820c93
SHA256: 647321b104b4ae46c016782bac71c1883a03efee01f4cc5987c166056472f025
SHA512: a64356551492d6d4698d97fb147a1f054abb26048cb4a8590ef0e56441d4ec50
96e2fb528786cab73f9cd141ba6dbbd3cd550a64e5b6f57cbdb7ccd51047d00a
ssdeep: 768:FE4EVpgSavGlAMm1yMvsCeq+H8O+j8f1b1mDV3D+JMG/dXplJigo:QgSHlAM
mxUC/OUVIrOgo
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x461b
timedatestamp.....: 0x48025ce1 (Sun Apr 13 19:20:01 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xba70 0xbc00 5.96 d9b4f450aa98b3936118e3a3c42ed657
.data 0xd000 0x13b4 0x1400 2.24 887444c39cada5bd753c428783e0009b
.rsrc 0xf000 0xe00 0xe00 6.18 8b7aa680680d5c40e90647de12607611
( 6 imports )
> ADVAPI32.dll: SetServiceStatus, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, GetLengthSid, InitializeAcl, AddAccessAllowedAce, AddAccessDeniedAce, GetAce, SetSecurityDescriptorDacl, GetSecurityDescriptorLength, MakeSelfRelativeSD, RegDisablePredefinedCache, RegOpenKeyExW, RegCloseKey, RegisterServiceCtrlHandlerExW, StartServiceCtrlDispatcherW
> GDI32.dll: bMakePathNameW, GdiInitSpool, GdiGetSpoolMessage
> KERNEL32.dll: GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, GetCurrentProcessId, SetUnhandledExceptionFilter, GetModuleHandleA, GetCurrentThreadId, GetTickCount, UnhandledExceptionFilter, QueryPerformanceCounter, FreeLibrary, InterlockedExchange, GetModuleHandleW, GetLastError, ExitThread, CloseHandle, WaitForSingleObject, CreateEventW, CreateThread, ExitProcess, Sleep, OpenEventW, LoadLibraryA, InitializeCriticalSection, LocalFree, LocalAlloc, SetEvent, LeaveCriticalSection, EnterCriticalSection, SetLastError, OpenProcess, InterlockedIncrement, RaiseException, InterlockedDecrement, GetProcAddress, GetSystemDirectoryW
> msvcrt.dll: __initenv, _exit, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, _XcptFilter, wcsrchr, wcslen, _c_exit, _stricmp, _wcsnicmp, _except_handler3
> ntdll.dll: RtlValidRelativeSecurityDescriptor
> RPCRT4.dll: RpcServerRegisterIf2, I_RpcBindingIsClientLocal, I_RpcSessionStrictContextHandle, RpcRaiseException, RpcImpersonateClient, RpcRevertToSelf, NdrServerCall2, RpcServerUseProtseqEpA, I_RpcSsDontSerializeContext, RpcMgmtSetServerStackSize, RpcServerListen
( 12 exports )
YDriverUnloadComplete, YEndDocPrinter, YFlushPrinter, YGetPrinter, YGetPrinterDriver2, YGetPrinterDriverDirectory, YReadPrinter, YSeekPrinter, YSetJob, YSetPort, YSplReadPrinter, YWritePrinter
Skull001
2009-03-18, 07:28
Results for explorer.exe
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.18 Trojan.Win32.Patched!IK
AhnLab-V3 5.0.0.2 2009.03.18 -
AntiVir 7.9.0.116 2009.03.17 -
Authentium 5.1.0.4 2009.03.17 -
Avast 4.8.1335.0 2009.03.17 -
AVG 8.0.0.237 2009.03.17 -
BitDefender 7.2 2009.03.18 -
CAT-QuickHeal 10.00 2009.03.18 -
ClamAV 0.94.1 2009.03.18 -
Comodo 1062 2009.03.17 -
DrWeb 4.44.0.09170 2009.03.18 -
eSafe 7.0.17.0 2009.03.17 -
eTrust-Vet None 2009.03.09 -
F-Prot 4.4.4.56 2009.03.17 -
F-Secure 8.0.14470.0 2009.03.18 -
Fortinet 3.117.0.0 2009.03.18 -
GData 19 2009.03.18 -
Ikarus T3.1.1.45.0 2009.03.18 Trojan.Win32.Patched
K7AntiVirus 7.10.674 2009.03.17 -
Kaspersky 7.0.0.125 2009.03.18 -
McAfee 5556 2009.03.17 -
McAfee+Artemis 5556 2009.03.17 -
McAfee-GW-Edition 6.7.6 2009.03.17 -
Microsoft 1.4502 2009.03.17 -
NOD32 3944 2009.03.17 -
Norman 6.00.06 2009.03.17 -
nProtect 2009.1.8.0 2009.03.18 -
Panda 10.0.0.10 2009.03.18 -
PCTools 4.4.2.0 2009.03.17 -
Prevx1 V2 2009.03.18 -
Rising 21.21.20.00 2009.03.18 -
Sophos 4.39.0 2009.03.18 -
Sunbelt 3.2.1858.2 2009.03.18 -
Symantec 1.4.4.12 2009.03.18 -
TheHacker 6.3.3.0.283 2009.03.16 -
TrendMicro 8.700.0.1004 2009.03.18 -
VBA32 3.12.10.1 2009.03.17 -
ViRobot 2009.3.18.1653 2009.03.18 -
VirusBuster 4.6.5.0 2009.03.17 -
Additional information
File size: 1033728 bytes
MD5...: 5a4d8cc07e31b75a8faa2ca71a891227
SHA1..: 1dbcc4d7e82ec73a768c1c4a13ca88630e51b336
SHA256: a7bfcbf62d13f1de18bb4f24b64a581113c58c4650feddb3cb226e1d4be65ea1
SHA512: c44efc217147b56736de049573f78559354a580bb2880321b503226eea5ff608
b92edb911c2b9f717da0dfac3944502cacf6ff7af35dd691f5355b6c986e7fde
ssdeep: 12288:RHmcoCUyZtwAvAs4wTCyrPTloHWYUrkf8w0Vnzac1/g/J/vMS:lmfty/wA
vN7lrvbkf8w0VnH1/g/J/k
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1a55f
timedatestamp.....: 0x48025c30 (Sun Apr 13 19:17:04 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44c09 0x44e00 6.38 fd89c9ce334764ffdbb62637ad9b5809
.data 0x46000 0x1db4 0x1800 1.30 983f35021232560eaaa99fcbc1b7d359
.rsrc 0x48000 0xb2268 0xb2400 6.63 95339c37646fa93e3695e06572a21889
.reloc 0xfb000 0x3800 0x3800 6.78 ec335057489badbf6d8142b57175fd91
( 13 imports )
> ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
> BROWSEUI.dll: -, -, -, -
> GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
> KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, RegisterWaitForSingleObject
> msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
> ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
> ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
> OLEAUT32.dll: -, -
> SHDOCVW.dll: -, -, -
> SHELL32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
> SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -
> USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
> UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed
( 0 exports )